Hi,
I am going to 0-day NMU this package.
The attached bug fixes this issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/lha_1.14i-10.1_1.14i-10.2.patch
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all tex
Sorry, the problem is that the tempfile is reused. From
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236585 :
"lha doesn't open temporary files *exclusively*"
Ignore the prior message.
luciano
As I understand this, the problem exists in the mktemp() used in
src/lharc.c:932 and src/lharc.c:951. The manpage mktemp(3) says:
"Never use mktemp(). Some implementations follow 4.3BSD and replace XX by
the current process ID and a single letter, so that at most 26 different
names can be
Package: lha
Severity: grave
Tags: security
Justification: user security hole
Hi
There is a CVE[0] issued against lha. It also leads to a patch[1], which
apparently fixes the problem. Could you please investigate this?
The CVE text says:
lharc.c in lha does not securely create temporary files, w